Inside the $540 million hack: a fake recruitment scam targeted an Axie Infinity engineer

Major hack in the crypto industry revealed: social engineering leads to a $540 million loss

In the cryptocurrency industry, a notable hack began with a job application by a senior engineer. The engineer worked for Sky Mavis, the developer of Axie Infinity, and unknowingly became part of a carefully orchestrated scam that ultimately led to one of the largest hacks in the crypto space.

At the center of the incident is Ronin, the Ethereum sidechain built for Axie Infinity. In March of this year, Ronin was hacked and lost up to $540 million in cryptocurrency. Although U.S. authorities later attributed the attack to the North Korean hacking group Lazarus, the specific details of how it was carried out have not been fully disclosed.

According to industry insiders, the incident was set in motion by a fake job advertisement. Someone contacted Sky Mavis employees through a professional social networking platform and encouraged them to apply to a company that does not actually exist. After multiple rounds of interviews, one engineer received a seemingly generous job offer.

The engineer then received the forged offer as a PDF document. When the engineer downloaded and opened it, the malware it carried gave the attackers a foothold in Ronin's systems. The attackers went on to take control of four of the nine validator nodes on the Ronin network, one step away from full control of the network.

In its post-incident analysis, Sky Mavis noted that its employees had long been subjected to advanced phishing attacks across various social channels, and that one employee's account was eventually compromised. The attackers used this foothold to penetrate Sky Mavis's IT infrastructure and, from there, gain access to the validator nodes.

Ronin uses a "Proof of Authority" mechanism that concentrates transaction-signing authority in nine trusted validators. As blockchain analysis firms have explained, funds can be moved once five validators approve a transaction. The attacker obtained the private keys of five validators and used them to drain the crypto assets.

Notably, the fake job advertisement gave the attacker control of only four validators; one more was needed to complete the attack. Sky Mavis disclosed that the attacker ultimately used access permissions granted to the Axie DAO. The Axie DAO is an organization set up to support the game's ecosystem, and in November 2021 it had helped process a large volume of transactions at Sky Mavis's request.

Sky Mavis admitted that although the Axie DAO's assistance ended in December 2021, the associated access permissions were never revoked. This allowed the attackers, once inside Sky Mavis's systems, to obtain the required signatures from Axie DAO validators.
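To make the threshold logic concrete, here is an added Python model (example code, not Sky Mavis's or Ronin's) of a 5-of-9 approval check in which a delegated signer was never revoked after its purpose ended, plus the audit check that would have flagged it. The validator names, the `skymavis-infra` signer and the helper functions are assumptions; the delegation's end date only reflects the month the article gives.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

THRESHOLD = 5  # validator signatures needed before the bridge releases funds

@dataclass
class Delegation:
    """One party allowed to sign on a validator's behalf (the Axie DAO / Sky Mavis arrangement)."""
    delegate: str
    validator: str
    ended: Optional[date] = None  # when the arrangement stopped being needed
    revoked: bool = False         # whether the permission was actually removed

@dataclass
class BridgeAuthority:
    validators: frozenset
    delegations: list = field(default_factory=list)

    def signing_power(self, signer):
        """Validators whose approval `signer` can produce: its own key plus live delegations."""
        power = {signer} if signer in self.validators else set()
        for d in self.delegations:
            if d.delegate == signer and not d.revoked:
                power.add(d.validator)
        return power

    def approve_withdrawal(self, signers):
        approving = set()
        for s in signers:
            approving |= self.signing_power(s)
        return len(approving) >= THRESHOLD, sorted(approving)

    def stale_delegations(self, today):
        """Audit check: delegations whose purpose has ended but which were never revoked."""
        return [d for d in self.delegations if d.ended and d.ended <= today and not d.revoked]

    def revoke(self, delegate):
        for d in self.delegations:
            if d.delegate == delegate:
                d.revoked = True

def ronin_like_setup():
    """Nine validators; Sky Mavis runs four and its infra may also sign for Axie DAO's validator."""
    sky = [f"skymavis-validator-{i}" for i in range(1, 5)]
    rest = ["axiedao-validator"] + [f"other-validator-{i}" for i in range(1, 5)]
    auth = BridgeAuthority(frozenset(sky + rest))
    auth.delegations.append(Delegation("skymavis-infra", "axiedao-validator", date(2021, 12, 1)))
    # What an intruder in Sky Mavis's IT environment holds: four validator keys plus the infra signer.
    return auth, sky + ["skymavis-infra"]
```

Running `stale_delegations` as a routine control, and revoking what it reports, drops the intruder's reach from five approvals to four, below the threshold.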

In response, Sky Mavis increased the number of validators to 11 a month after the hack and plans to expand it to more than 100 in the long term. The company also raised $150 million to compensate affected users and plans to begin returning funds on June 28. The Ronin bridge to Ethereum has also been relaunched.

Such social engineering tactics are not isolated cases. Recent investigations by security research organizations show that certain hacking groups frequently abuse professional social platforms and instant messaging software to target sensitive industries such as aerospace and defense contractors.

To counter such threats, security experts recommend that industry professionals:

  1. Continuously monitor security intelligence from major threat-intelligence platforms and conduct self-assessments.
  2. Perform the necessary security checks before running any executable file.
  3. Implement a zero-trust model to reduce the related risks.
  4. Keep the real-time protection of security software enabled and update its signature database promptly.

This incident is another reminder that in the digital asset space we must be vigilant not only about technical vulnerabilities but also about security threats arising from human factors such as social engineering.
